23.7 “Restless Roadrunner” Series

For more than 8 and a half years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

23.7, nicknamed “Restless Roadrunner”, features numerous MVC/API conversions including the new OpenVPN “instances” configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2 plus much more.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

23.7.12 (January 16, 2024)

One more release it was indeed. We have added considerable backend work for improving security and adding a streaming function to avoid memory exhaustion for data-intense data exchanges. Note this is in preparation for 24.1 where these will be used, but direct use in 23.7 is avoided to lower the possibility for regressions.

The release date for 24.1 is January 30 and we are approaching this differently this time, with release candidates only being available from the development version, meaning there will be no installation media before the final release.

While RC1 is mostly ready the publication is currently on hold due to chasing down a kernel panic. Watch out for the release notes of the RC1. It should be available this week with a follow-up RC2 in the following week.

Here are the full patch notes:

  • system: change ZFS transaction group defaults to avoid excessive disk wear [1]

  • firewall: validate if GeoIP and BGP ASN targets contain at least 1 kb of data before assuming timestamp is correct

  • firmware: automatically install os-squid plugin when web proxy is enabled before major upgrade

  • firmware: refactor export and scrub Unbound DNS database before major upgrade

  • firmware: disallow TLS lower than 1.3 on business mirror

  • openvpn: add validation for netmask greater than 29 exactly as specified in the OpenVPN source code

  • backend: support streaming output using the “stream_output” handler

  • backend: implement optional trust model and add extended logging

  • backend: support optional configd configuration files

  • mvc: add an IPPortField type

  • mvc: split configdRun() in order to return a resource which the controller can stream with minimal memory consumption

  • ui: fix the missing dialog padding in some modals

  • ui: set a default data-size for increased readability in selectpickers

  • ui: show tooltip when grid td content does not fit

  • plugins: os-bind 1.29 [2]

  • plugins: os-ddclient 1.20 [3]

  • plugins: os-frr 1.38 [4]

  • plugins: os-node_exporter 1.2 [5]

  • plugins: os-sunnyvalley 1.4 switches to new repository layout

  • ports: py-netaddr 0.10.1 [6]

  • ports: sudo 1.9.15p5 [7]

A hotfix release was issued as 23.7.12_5:

  • reporting: print status message when Unbound DNS database was not found during firmware upgrade

  • firmware: enable upgrade path to 24.1

  • backend: only parse stream results when configd socket could be opened

23.7.11 (January 04, 2024)

The final test phase for 24.1 is starting just as 23.7 stretches towards its inevitable end of life. At the moment it is unclear if this release will be the last one or not so we shall refrain from stating something that may not be true in the coming weeks. ;)

Of special note is the Python rewrite of the relevant FreeBSD certctl tool bits that are needed to register certificates in the system. It should be about 30 times faster now than it was before.

Here are the full patch notes:

  • system: implement relevant certctl tool functionality in Python to increase performance

  • system: fix log severity selector (contributed by kulikov-a)

  • system: include IPv6 link-local interface addresses for web GUI and OpenSSH (contributed by Maurice Walker)

  • system: update cron and gateways model

  • interfaces: obey menu group sequence when specified

  • firewall: fix traceback in OpenVPN group alias due to wrong return type

  • firewall: fix missing physical_interface() in shaper template

  • dhcp: cache backend action “interface list macdb” to increase responsiveness

  • dhcp: allow saving with invalid range when IPv4 server is disabled

  • dhcp: do not clobber $range_to / $range_from with the legacy test for lower 64 bit only input

  • firmware: opnsense-update: avoid rewriting .cshrc and .profile files on base set updates

  • firmware: add audit messages for relevant API actions

  • firmware: implement “always reboot” option

  • firmware: add unlocked mode to launcher script

  • firmware: use pluggable package repository scripts

  • lang: assorted language updates

  • network time: prevent the service from listening on a wildcard when selecting specific interfaces (contributed by doktornotor)

  • openvpn: add virtual IPv6 address to widget and status page (contributed by cs-1)

  • openvpn: consider clients missing CARP VHID as disabled

  • unbound: replace JustDomains with Firebog blocklists (contributed by Amy Nagle)

  • unbound: update root hints

  • plugins: os-acme-client 3.20 [1]

  • plugins: os-ddclient 1.19 [2]

  • plugins: os-wireguard 2.6 [3]

  • ports: curl 8.5.0 [4]

  • ports: nss 3.95 [5]

  • ports: php 8.2.14 [6]

  • ports: py-netaddr 0.10.0 [7]

  • ports: squid 6.6 [8]

  • ports: sudo 1.9.15p4 [9]

23.7.10 (December 12, 2023)

A number of FreeBSD source code changes accumulated so it is better to have them delivered to your doorstep before the holidays are in full swing.

Here are the full patch notes:

  • system: improve config revision audit ability

  • system: cleanse system_get_language_code() output

  • system: safeguard /tmp/PHP_errors.log file before usage

  • system: add an optional random delay before executing remote backups

  • system: fix regression in log viewer level selector

  • reporting: OpenVPN server instances were missing from respective health graph

  • interfaces: move interface list widget link to assignments page

  • interfaces: add new backend jobs and extend with optional parameter

  • interfaces: add validation for proxy ARP strict subnet use

  • firewall: improve alias write behaviour by checking for changes beforehand

  • firewall: fix preg_replace() to avoid truncated network display in rules listing

  • firewall: add an ifconfig.debug file

  • firmware: switch bogons/changelog set base URL to portable “opnsense-update -X” call

  • ipsec: move save button on mobile page into its own container

  • ipsec: add support for RADIUS class groups in instances

  • unbound: use tls-system-cert instead of tls-cert-bundle

  • web proxy: fix setting unknown language directory

  • ui: upgrade jqTree to version 1.7.5

  • plugins: os-ddclient 1.18 [1]

  • plugins: os-dec-hw 1.0 is a Deciso hardware specific dashboard widget

  • plugins: os-net-snmp fix for directory setup (contributed by doktornotor)

  • plugins: os-telegraf 1.12.10 [2]

  • plugins: os-upnp now reloads on newwanip event

  • plugins: os-wireguard fix for missing firewall reload

  • plugins: os-wireguard-go fix for device registration

  • src: clang: sanitizer failure with ASLR enabled [3]

  • src: dhclient: do not add 0.0.0.0 interface alias

  • src: ice: match irdma interface changes

  • src: ixv: separate VFTA table for each interface

  • src: libnetmap: better fix for port parsing failure

  • src: pf: expose more syncookie state information to userspace

  • src: pf: fix mem leaks upon vnet destroy

  • src: pf: remove incorrect fragmentation check [4]

  • src: rc: fix restart _precmd issue with _setup

  • src: re: add support for 8168FP HW rev

  • src: zfs: check dnode and its data for dirtiness in dnode_is_dirty() [5]

  • ports: perl 5.36.3 [6]

  • ports: php 8.2.13 [7]

  • ports: phpseclib 3.0.34 [8]

  • ports: squid update fixes parent proxy crash [9]

  • ports: strongswan 5.9.13 [10]

A hotfix release was issued as 23.7.10_1:

  • mvc: provide iterateRecursiveItems() in BaseModel required by IPsec RADIUS support

  • ports: openssh 9.6p1 [11]

23.7.9 (November 23, 2023)

As the end of the year inches closer the changes published today are naturally smaller additions and cleanups, notably changes for IPsec VTI connection for IPv6 and dual-stack operation, a possible OpenVPN CSO mismatch bug and optional support for SHA-512 password hashing.

Note that the HTTPS bump for the firmware mirrors updates the published URLs in the firmware selection, but if you already use LeaseWeb or NYC BUG you need to reselect them in order to move from HTTP to HTTPS connectivity.

Of further note is that the Squid web proxy will be moved to a plugin in version 24.1 but for everyone using it the upgrade procedure will make sure to install it automatically when enabled. A meta package was added to the plugins already in order for this to work just in case there are questions about what it is supposed to be doing… apart from providing dependencies it does not do anything at the moment. ;)

Last but not least, we have been successfully testing and ironing out OpenSSL 3 ports builds in the past week and inclusion in 24.1 seems very likely at this point. The effort continues and we will also be looking into backport material from FreeBSD 13 stable branches for further preparation.

Here are the full patch notes:

  • system: add SHA-512 password hash compliance option

  • system: allow special selector for plugins_configure()

  • system: handle broken menu XML files more gracefully

  • system: fix PHP warnings and SSH fail on empty “ssh” XML node

  • system: fix a couple of PHP warnings in auth server pages

  • system: add support for Google Shared drives backup (contributed by Jeremy Huylebroeck)

  • system: change wait time to 1 second per round, total of 7 in console prompts

  • system: update syslog model

  • interfaces: mark WireGuard devices as virtual

  • interfaces: update LAGG and loopback models

  • interfaces: improve VIP validation, fix broadcast generation

  • firewall: make sure firewall log reading always emits a label

  • firewall: fix business bogons set fetch

  • firewall: add section for automatic rules being added at the end of the ruleset

  • firewall: allow multiple networks given to wrap in the GUI

  • captive portal: fix log target

  • firmware: stop manually adjusting firmware config structure during factory reset

  • firmware: clear stray “pkgsave” and “pkgtemp” pkg-upgrade leftovers

  • firmware: changed LeaseWeb and NYC BUG mirrors to use HTTPS (contributed by jeremiah-rs)

  • firmware: opnsense-update: new “-X” mode for canonical bogons/changelog set fetch URL

  • firmware: opnsense-version: support base/kernel hash info

  • ipsec: mute ipsec.conf related load errors

  • ipsec: fix typo in VTI protocol family parsing

  • ipsec: add secondary tunnel address pair for VTI dual-stack purposes

  • ipsec: add “aes256-sha256” proposal option (no PFS)

  • openvpn: obey username_as_common_name setting

  • backend: add physical_interface and physical_interfaces as template helper function

  • backend: add file_exists as template helper function

  • mvc: instead of failing invalidate a non-match in CSVListField

  • mvc: split tree-view template and javascript and hook via controllers

  • ui: upgrade bootstrap-select to v1.13.18

  • ui: improve saveFormToEndpoint() UX

  • plugins: os-ddclient 1.17 [1]

  • plugins: os-frr 1.37 [2]

  • plugins: os-squid adds a meta package for web proxy core removal in 24.1

  • ports: openvpn 2.6.8 [3]

  • ports: sqlite 3.44.0 [4]

  • ports: sudo 1.9.15p2 [5]

  • ports: unbound 1.19.0 [6]

23.7.8 (November 09, 2023)

The configuration restore GUI has been improved in a number of ways due to recent demand and Squid was updated to the new major release version 6.

A number of reliability improvements were also added to the WireGuard kernel plugin which from our perspective is now ready for core inclusion. The documentation is being updated accordingly, but will take a bit more time to ensure consistency following up on the GUI changes it received.

This update also includes FreeBSD security advisories and assorted fixes. We are aware of OpenSSL 1.1.1 CVE-2023-5678 and we are already testing builds based on OpenSSL 3 which can be available in 24.1 when it does not negatively impact overall operation. We also expect fixes for version 1 to be available sooner, but without OpenSSL providing such fixes directly the roundtrip time is likely going to increase for them.

Here are the full patch notes:

  • system: minor changes related to recent Gateway class refactoring

  • system: use unified style for “return preg_match” idiom so the caller receives a boolean

  • system: provide mismatching interface logic without reboot on configuration restore

  • system: allow new backup API to download latest configuration directly via /api/core/backup/download/this

  • system: extend restore to be able to migrate older configurations cleanly

  • system: make trust store reload conditional

  • interfaces: assorted bridge handling improvements

  • interfaces: ignore ULAs for primary IPv6 detection

  • interfaces: improve wireless channel parsing

  • firewall: keep filtered items available longer in live log

  • firewall: when migrating aliases make sure that nesting does not fail

  • firewall: port can be zero in automatic rule so render it accordingly

  • firewall: minor update to shaper model

  • firmware: invalidate GUI caches earlier since certctl blocks this longer now

  • firmware: add root file system to health audit

  • monit: minor update to model

  • lang: update Chinese, Czech, Italian, Korean, Polish and Spanish

  • openvpn: host bits must not be set for IPv4 server directive in instances

  • unbound: minor update to model

  • unbound: remove localhost from automatically created ACL

  • web proxy: handle the major update to version 6 and update model

  • mvc: enforce uniqueness and remove validation message in UniqueIdField

  • mvc: config should be locked before calling checkAndThrowSafeDelete()

  • ui: prevent form submit for MVC pages

  • ui: improve default modal padding

  • plugins: os-bind 1.28 [1]

  • plugins: os-openconnect 1.4.5 [2]

  • plugins: os-wireguard 2.5 [3]

  • src: pfctl: fix incorrect mask on dynamic address

  • src: libpfctl: assorted improvements

  • src: msdosfs: zero partially valid extended cluster [4]

  • src: copy_file_range: require CAP_SEEK capability [5]

  • src: fflush: correct buffer handling in __sflush [6]

  • src: cap_net: correct capability name from addr2name to name2addr [7]

  • src: regcomp: use unsigned char when testing for escapes [8]

  • ports: lighttpd 1.4.73 [9]

  • ports: php 8.2.12 [10]

  • ports: squid 6.5 [11]

  • ports: sudo 1.9.15 [12]

A hotfix release was issued as 23.7.8_1:

  • interfaces: prefer GUAs over ULAs when returning addresses

  • plugins: os-c-icap fix for upstream update syntax error (contributed by Andy Binder)

23.7.7 (October 25, 2023)

The user experience of several pages has been improved. And this update is also shipping several FreeBSD-based changes for further reliability as well as core fixes and improvements as they came up on GitHub or the forum in the last weeks.

A word of caution for third party repository users. FreeBSD currently changes a number of things in their ecosystem. The first change is the move of the “openssl” package to “openssl111” since the former is now based on version 3. This can and likely will disrupt updates of third party packages not having followed this change. While we want to use OpenSSL 3 eventually, being in the middle of a stable run is not the time and place to do it. Secondly, FreeBSD makes its port stop relying on the ca_root_nss package trust store provided by Mozilla, which introduces technical barriers for integration of our own trust store. This update changes curl to not use the old bundle files, but then also ensures that the base system will register all CA certificates brought in by our trust store as well. The biggest caveat at the moment is that this process is slower than before and may end up untrusting user CAs if they happen to be on the FreeBSD-provided untrusted list. During upgrades you will see when it writes the trust files and bundles and if any errors occur.

In both instances we feel nothing can be gained in postponing these changes so we are carrying them out swiftly after ensuring they do the right thing for our user base and voicing our reservations where it matters.

You can also find and follow us on Bluesky now:

https://bsky.app/profile/opnsense.org

Here are the full patch notes:

  • system: rewrite trust integration for certctl use

  • system: improve UX on new configuration history page

  • system: update recovery pattern for /etc/ttys

  • system: improve service sync UX on high availability settings page

  • system: migrate gateways to model representation

  • system: detect an on/off password shift when syncing user accounts

  • system: improve backup restore area selection

  • system: keep polling if watcher cannot load a class to fetch status

  • system: add “Constraint groups” option to LDAP authentication

  • reporting: refactor RRD data retrieval and simplify health page UX

  • interfaces: make link-local VIPs unique per interface

  • interfaces: make VIPs sortable and searchable

  • interfaces: improve assignments page UX and simplify its bridge validation

  • interfaces: allow multiple IP addresses in DHCP reject clause (contributed by Csaba Kos)

  • interfaces: enable IPv6 early on trackers

  • interfaces: do not reload filter in rc.linkup

  • interfaces: add input validations to VXLAN model (contributed by Monviech)

  • interfaces: add NO_DAD flag to static IPv6 configurations

  • interfaces: fix config locking when deleting a VIP node

  • firewall: sort auto-generated rules by priority set

  • firewall: fix regression in BaseContentParser throwing an error

  • firmware: stop using the “pkg+http(s)” scheme which breaks using newer pkg 1.20

  • ipsec: count user in “Overview” tab and improve “Mobile Users” tab (contributed by Monviech)

  • ipsec: make description in connections required (contributed by Michael Muenz)

  • ipsec: connection proposal sorting and additions

  • lang: assorted updates and completed French translation

  • openvpn: change verify-client-cert to a server only setting and fix validation

  • openvpn: do not flush state table on linkdown

  • unbound: avoid dynamic reloads when possible

  • unbound: add support for wildcard domain lists

  • unbound: improved UX of the overrides page

  • backend: pluginctl: improve listing plugins of selected type

  • mvc: add hasChanged() to detect changes to the config file

  • mvc: allow empty value in UniqueConstraint if not required by field

  • mvc: improve field validation message handling

  • mvc: fix regression in PortField with setEnableAlias() that would lowercase alias names

  • mvc: style update in diagnostics, firewall, intrusion detection and ipsec models

  • ui: fix the styling of the base form button when overriding the label

  • ui: trigger change message on toggle and delete

  • plugins: os-nginx 1.32.2 [1]

  • plugins: os-radsecproxy fixes for stale rc script / pidfile issues

  • plugins: os-rspamd 1.13 [2]

  • plugins: os-theme-ciada fix for previous regression

  • plugins: os-wireguard 2.4 [3]

  • src: pf: enable the syncookie feature for IPv6

  • src: pflog: log packet dropped by default rule with drop

  • src: re: add Realtek Killer Ethernet E2600 IDs

  • src: libnetmap: fix interface name parsing restriction

  • src: tun/tap: correct ref count on cloned cdevs

  • src: bpf: fix writing of buffer bigger than PAGESIZE

  • src: net: check per-flow priority code point for untagged traffic

  • src: libpfctl: implement status counter accessor functions

  • src: pf: expose syncookie active/inactive status

  • src: iavf: add explicit ifdi_needs_reset for VLAN changes

  • src: vmxnet3: do restart on VLAN changes

  • src: iflib: invert default restart on VLAN changes

  • src: pf: fix state leak

  • ports: curl 8.4.0 [4]

  • ports: lighttpd 1.4.72 [5]

  • ports: nss 3.94 [6]

  • ports: openssl111 supersedes openssl package

  • ports: perl 5.36.1 [7]

  • ports: suricata 6.0.15 [8]

A hotfix release was issued as 23.7.7_1:

  • firmware: speed up saving the firmware settings by avoiding the newly extended trust store rewrite

  • firmware: opnsense-update: fix mirror replacement broken by pkg 1.20 compatibility effort

A hotfix release was issued as 23.7.7_3:

  • reporting: fix regression in single measurement RRD data reads

  • ipsec: re-add previously missing PRF hashing options to GCM cipher selection

23.7.6 (October 11, 2023)

This update is a maintenance release improving the DS-Lite use via separate GIF tunnels on top of IPv6-only connectivity. We are still continuing the efforts to provide better MVC integration for the gateways abstraction as well as working towards better MVC model consistency.

We would like to thank GitHub user Monviech for his special contributions in the documentation on the subject of reflection and hairpin NAT [1].

Here are the full patch notes:

  • system: do not mark “defunct” gateway as “disabled” as well

  • system: skip all unusable gateways for monitoring

  • system: simplify the code in dpinger_status()

  • system: rewrite configuration history using MVC/API

  • interfaces: drop obsolete PPP default route handling

  • interfaces: change GRE/GIF to split reload per address family on dynamic connectivity

  • interfaces: prevent reading stale configuration data in interfaces_has_prefix_only()

  • interfaces: for consistency bootstrap the implicit ‘none’ value of the IP address modes

  • interfaces: prevent extended array data from being passed in interface_bring_down()

  • interfaces: fix warning due to use of an unassigned variable

  • firewall: quote “a/n” protocol in pf.conf to avoid a syntax error

  • firewall: fix wrong link to virtual IP page

  • firewall: add “Interface / Invert” rule toggle

  • firewall: fix help button in dialog for categories

  • firewall: update alias and shaper models

  • captive portal: update model

  • dhcp: fix “ends never” parsing in DHCPv6 lease page

  • dhcp: add scope to link-local DHCPv6 static mapping when creating route for delegated prefix (contributed by Maurice Walker)

  • dhcp: merge_ipv6_address() was too intrusive

  • intrusion detection: update model and persist values for transparency

  • intrusion detection: improve locking during sqlite database creation

  • ipsec: add IP4_DNS and IP6_DNS configuration payloads to connection pools (contributed by Monviech)

  • ipsec: require setting a connection pool name

  • ipsec: update models

  • monit: update model

  • openvpn: allow instances authentication without certificates when verify_client_cert is set to none

  • openvpn: add role to “proto” for TCP sessions as required for TAP type tunnels

  • openvpn: missing “selectpicker” class on VHID selector

  • openvpn: update model

  • backend: template reload wildcard was returning “OK” on partial failures

  • mvc: emit correct message on required validation in BaseField

  • mvc: throw on template reload issues in mutable service controller

  • mvc: inline one time use of $parentKey

  • mvc: set Required=Y for GroupNameField

  • mvc: remove special validation messages likely never seen

  • mvc: introduce isVolatile() for BaseModel

  • mvc: propagate isFieldChanged() from connected children in ArrayField

  • ui: remove the bootstrap-select version from the provided file in the default theme

  • plugins: remove the bootstrap-select version from the provided file in all themes

  • plugins: os-crowdsec 1.0.7 [2]

  • plugins: os-smart reverts the use of smartctl to gather disks

  • plugins: os-telegraf 1.12.9 [3]

  • plugins: os-theme-rebellion 1.8.9 fixes Unbound DNS reporting page

  • plugins: os-wireguard 2.3 [4]

  • ports: php 8.2.11 [5]

  • ports: syslog-ng 4.4.0 [6]

23.7.5 (September 26, 2023)

Today introduces a change in MTU handling for parent interfaces mostly noticed by PPPoE use where the respective MTU values need to fit the parent plus the additional header of the VLAN or PPPoE. Should the MTU already be misconfigured to a smaller value it will be used as configured so check your configuration and clear the MTU value if you want the system to decide about the effective parent MTU size.

Another change in far gateway handling is also included which prevents a monitoring failure if that particular gateway was not being designated as default during boot, which made the routing table miss the essential interface route so that monitoring would always report it as down. Now the interface route is always ensured, not only when applying the default gateway, so that it works all the time.

Also fixed was the problematic migration of the Unbound interfaces settings which now clears the possibly unknown interfaces in order to proceed and have Unbound up and running post update which was not the case for some users previously.

Other reliability improvements and third party security updates are included as well. We also continue our effort to clean up the interface handling code and audit the MVC model files for consistency. A missing change for out of the box DS-Lite support is also being tested on the development version now and will likely hit in 23.7.6.

Here are the full patch notes:

  • system: pluginctl: allow -f mode to drop config properties

  • system: switch to /usr/sbin/nologin as authoritative command location

  • system: remove remaining spurious ifconfig data pass to Gateways class

  • system: fix data cleansing issue in “column_count” and “sequence” values on dashboard

  • system: start gateway monitors after firewall rules are in place (contributed by Daggolin)

  • system: refactor far gateway handling out of default route handling

  • interfaces: use interfaces_restart_by_device() where appropriate

  • interfaces: allow get_interface_ipv6() to return in all three IPv6 variants

  • interfaces: add GRE/GIF/bridge/wlan return values

  • interfaces: signal wlan device creation success/failure

  • interfaces: update link functions for GIF/GRE

  • interfaces: remove the ancient OpenVPN-tap-on-a-bridge magic on IPv4 reload

  • interfaces: update read-only bridge member code

  • interfaces: redirect after successful interface add

  • interfaces: add interface return feature for use on bridges/assignment page

  • interfaces: VIP model style update

  • interfaces: implement interface_configure_mtu()

  • interfaces: allow clean MVC access to primary IPv4 address (pluginctl -4 mode)

  • firewall: fix cleanup issue when renaming an alias

  • dhcp: make dhcrelay code use the Gateways class

  • ipsec: add local_port and remote_port to connections (contributed by Monviech)

  • openvpn: force instance interface down before handing it over to daemon

  • openvpn: add missing up and down scripts to instances (contributed by Daggolin)

  • unbound: properly set a default value for private address configuration

  • unbound: allow disabled interfaces in interface field

  • unbound: migrate active/outgoing interfaces discarding invalid values

  • unbound: UX improvements on several pages

  • unbound: update model

  • mvc: update diagnostics models

  • mvc: add isLinkLocal()

  • plugins: os-upnp replaces calls to obsolete get_interface_ip()

  • plugins: os-rfc2136 replaces calls to obsolete get_interface_ip[v6]()

  • plugins: os-sunnyvalley 1.3 changes repository URL (contributed by Sunnyvalley)

  • plugins: os-tinc adds missing subnet-down script (contributed by andrewhotlab)

  • ports: curl 8.3.0 [1]

  • ports: nss 3.93 [2]

  • ports: openssl 1.1.1w [3]

  • ports: phalcon 5.3.1 [4]

  • ports: phpseclib 3.0.23 [5]

  • ports: sqlite 3.43.1 [6]

  • ports: suricata 6.0.14 [7]

23.7.4 (September 14, 2023)

The usual amount of improvements go out today with FreeBSD security advisories on top. The new Python version was also picked up.

Note that the WireGuard plugin improvement effort is still going on and this time we refreshed the dashboard widget as that was being requested a number of times. The Polish language has been added to the GUI as well.

Here are the full patch notes:

  • system: correctly set RFC 5424 on remote TLS system logging

  • system: remove hasGateways() and write DHCP router option unconditionally

  • system: avoid plugin system for gateways monitor status fetch

  • system: remove passing unused ifconfig data to Gateways class on static pages

  • system: remove passing unused ifconfig data on gateway monitor status fetch

  • system: remove the unused “alert interval” option from the gateway configuration

  • interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account

  • interfaces: teach ifctl to dump all files and its data for an interface

  • interfaces: remove dead link/hint in GIF table

  • interfaces: avoid duplicating $vfaces array

  • interfaces: introduce interfaces_restart_by_device()

  • firewall: remove old __empty__ options trick from shaper model

  • firewall: update models for clarity

  • firmware: update model for clarity

  • ipsec: omit conditional authentication properties when not applicable on connections

  • ipsec: fix key pair generator for secp256k1 EC and add more proper naming to GUI (contributed by Manuel Faux)

  • ipsec: allow the use of eap_id = %any in instances

  • openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)

  • openvpn: add CARP VHID tracking for client instances

  • openvpn: add tun-mtu/fragment/mssfix combo for instances

  • openvpn: add “route-gateway” advanced option to CSO

  • openvpn: use new File::file_put_contents() wrapper for instances

  • openvpn: updated model and clarified “auth” default option

  • mvc: remove “non-functional” hints from form input elements

  • mvc: uppercase default label in BaseListField is more likely

  • ui: add bytes format to standard formatters list

  • plugins: os-ddclient 1.16 [1]

  • plugins: os-frr 1.36 [2]

  • plugins: os-wireguard 2.1 [3]

  • plugins: os-tinc 1.7 adds support for “StrictSubnets” variable (contributed by andrewhotlab)

  • lang: update translations and add Polish

  • src: bring back netmap tun(4) ethernet header emulation (contributed by Sunny Valley Networks)

  • src: axgbe: gracefully handle i2c bus failures

  • src: bnxt: do not restart on VLAN changes

  • src: ice: do not restart on VLAN changes

  • src: net: do not overwrite VLAN PCP

  • src: net: remove VLAN metadata on PCP / VLAN encapsulation

  • src: if_vlan: always default to 802.1

  • src: iflib: fix panic during driver reload stress test

  • src: iflib: fix white space and reduce some line lengths

  • src: ixgbe: define IXGBE_LE32_TO_CPUS

  • src: ixgbe: check for fw_recovery

  • src: net80211: fail for unicast traffic without unicast key [4]

  • src: pcib: allocate the memory BAR with the MSI-X table [5]

  • ports: php 8.2.10 [6]

  • ports: python 3.9.18 [7]

  • ports: unbound 1.18.0 [8]

23.7.3 (August 30, 2023)

Recently we improved the workflow for bringing language updates to the release so here we are with an updated translation package including added support for Korean. Thanks a lot to all contributors for keeping this going strong!

If you would like to help with translations you can sign up via:

https://poeditor.com/projects/view?id=179921

Of note is also the largely rewritten backend for the WireGuard kernel module plugin which offers separate services for each instance much like OpenVPN offers it. The requirement of the wireguard-tools and bash packages was removed. This also means the plugin will be moved to the core for 24.1 along with the WireGuard Go plugin being removed completely, since on FreeBSD 13.2 no external package is needed to enjoy WireGuard and the permanent existence of a kernel module renders the Go fallback defunct through wireguard-tools/wg-quick implementation quirks.

Here are the full patch notes:

  • system: fix missing config save when RRD data is supplied during backup import

  • system: defer config reload to SIGHUP in gateway watcher

  • system: handle “force_down” state correctly in gateway watcher

  • system: make Gateways class argument optional

  • interfaces: tweak UX of interface settings page

  • interfaces: further improve PPP MTU handling

  • interfaces: remove workaround to re-reload the routing during bootup for an edge case that no longer exists

  • firewall: fix group priority handling regression

  • firewall: improve filter functionality to combine multiple network clauses in states page

  • dhcp: map interfaces to interface names instead of devices

  • dhcp: fix iaid_duid parsing in IPv6 lease page

  • intrusion detection: support “bypass” keyword in user-defined rules (contributed by Monviech)

  • openvpn: fix mismatch issue when pinning a CSO to a specific instance

  • openvpn: add advanced option for optional CA selection

  • unbound: fix concurrent session closing the handle while still writing data in Python module

  • web proxy: remove long deprecated “dns_v4_first” setting from GUI

  • mvc: extend PortField to optionally allow port type aliases

  • lang: update all languages and add Korean

  • plugins: os-firewall 1.4 adds port alias support

  • plugins: os-frr 1.35 [1]

  • plugins: os-wireguard 2.0 [2]

  • ports: filterlog fix to prevent crash on default rule number -1

23.7.2 (August 23, 2023)

Assorted improvements are being shipped with this release. Of special note is the proper monitoring of down gateways, which allows the new gateway watcher to see the gateway come back online when plugging in a cable. A Wazuh agent plugin was added and the ddclient plugin received new protocol support including AWS Route53 amongst others.

Here are the full patch notes:

  • system: improve monitoring of down gateways

  • system: clear all /var/run directories on bootup

  • system: put lock()/unlock() back for legacy plugin compatibility

  • interfaces: fix special device name chars used in shell variables

  • interfaces: prevent IPv6 mismatches when using compressed format in VIP

  • interfaces: remove descriptive name from newwanip logging

  • interfaces: typo in MRU handling for PPP

  • interfaces: improve PPPoE MTU handling

  • interfaces: switch rtsold to -A mode

  • firewall: missing interface group registration on group creation

  • dhcp: improve UX of the new MVC lease pages

  • firmware: remove defunct mirror “Dept. of CSE, Yuan Ze University”

  • intrusion detection: fix events originating from “int^” due to IPS mode use

  • ipsec: add colon to supported character list for pre-shared key IDs

  • ipsec: reqid should not stick when copying a phase 1

  • monit: fix empty timeout value (contributed by Michael Muenz)

  • openvpn: properly map user groups for authentication

  • openvpn: bring instances into server field

  • openvpn: fix separator for redirect-gateway attribute in instances and CSO

  • unbound: fixed configuration when custom blocks are used (contributed by Evgeny Grin)

  • plugins: os-ddclient 1.15 [1]

  • plugins: os-iperf adds rubygem-rexml dependency (contributed by Hannah Kiekens)

  • plugins: os-relayd 2.7 now supports newer upstream release of relayd

  • plugins: os-wazuh-agent 1.0 [2]

  • src: remove if_wg from kernel modules to unbreak current wireguard-go use

  • src: axgbe: LED control for A30 platform

  • src: gif: revert in{,6}_gif_output() misalignment handling

  • src: igc: sync srrctl buffer sizing with e1000

  • src: ip_output: ensure that mbufs are mapped if ipsec is enabled

  • src: ixgbe: warn once for unsupported SFPs

  • src: ixgbe: add support for 82599 LS

  • src: ixl: add link state polling

  • src: ixl: port ice’s atomic API to ixl

  • src: rss: set pin_default_swi to 0 by default

  • src: rtsol: introduce an ‘always’ script

  • ports: krb5 1.21.2 [3]

  • ports: openldap 2.6.6 [4]

  • ports: openvpn 2.6.6 [5]

  • ports: php 8.2.9 [6]

  • ports: phalcon 5.3.0 [7]

  • ports: phpseclib 3.0.21 [8]

  • ports: py-dnspython 2.4.2

23.7.1 (August 08, 2023)

23.7 looks pretty good so far but no reason not to make it better. The MVC changes for DHCP, firewall groups, OpenVPN and Unbound receive several required fixes and the latest FreeBSD security advisories were added as well.

Here are the full patch notes:

  • system: close boot file after probing to avoid lock inheritance

  • system: fix lock() inheriting the lock state

  • system: give more context in process kill error case since we operate PID numbers only

  • firewall: groups were not correctly parsed for menu post-migration

  • firewall: hide row command buttons for internal groups

  • firewall: add “ipv6-icmp” to protocol list in shaper

  • firewall: fix PHP warnings on the rules pages

  • dhcp: check if manufacturer exists for IPv4 lease page to prevent error

  • dhcp: use base16 for iaid_duid decode for IPv6 lease page to prevent error

  • dhcp: fix validation for static entry requirement

  • firmware: revoke 23.1 fingerprint

  • network time: support pool directive and maxclock (contributed by Kevin Fason)

  • openvpn: fix static key delete

  • openvpn: fix “mode” typo and push auth “digest” into export config

  • openvpn: fix race condition when using CRLs in instances

  • openvpn: remove arbitrary upper bounds on some integer values in instances

  • unbound: migration of empty nodes failed from 23.1.11 to 23.7

  • unbound: fix regression when disabling first domain override

  • mvc: fix empty item selection issue in BaseListField

  • plugins: os-ddclient 1.14 [1]

  • plugins: os-acme-client 3.19 [2]

  • src: bhyve: fully reset the fwctl state machine if the guest requests a reset [3]

  • src: frag6: avoid a possible integer overflow in fragment handling [4]

  • src: amdtemp: Fix missing 49 degree offset on current EPYC CPUs

  • src: libpfctl: ensure the initial allocation is large enough

  • src: pf: handle multiple IPv6 fragment headers

  • ports: curl 8.2.1 [5]

  • ports: nss 3.92 [6]

  • ports: openssl 1.1.1v [7]

  • ports: perl 5.34.1 [8]

  • ports: py-dnspython 2.4.1

  • ports: strongswan 5.9.11 [9]

  • ports: syslog-ng 4.3.1 [10]

A hotfix release was issued as 23.7.1_3:

  • firewall: do not clone “associated-rule-id”

  • network time: fix “Soliciting pool server” regression (contributed by Allan Que)

  • dhcp: fix IPv4 lease removal

23.7 (July 31, 2023)

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Here are the full patch notes against 23.1.11:

  • system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect

  • system: fix assorted PHP 8.2 deprecation notes

  • system: fix assorted permission-after-write problems

  • system: introduce a gateway watcher service and fix issue with unhandled “loss” trigger when “delay” is also reported

  • system: enabled web GUI compression (contributed by kulikov-a)

  • system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses

  • system: allow “.” DNS search domain override

  • system: on boot let template generation wait for configd socket for up to 10 seconds

  • system: do not allow state modification on GET for power off and reboot actions

  • system: better validation and escaping for cron commands

  • system: better validation for logging user input

  • system: improve configuration import when interfaces or console settings do not match

  • system: name unknown tunables as “environment” as they could still be supported by e.g. the boot loader

  • system: sanitize $act parameter in trust pages

  • system: add severity filter in system log widget (contributed by kulikov-a)

  • system: mute openssl errors pushed to stderr

  • system: add opnsense-crypt utility to encrypt/decrypt a config.xml

  • system: call opnsense-crypt from opnsense-import to deal with encrypted imports

  • interfaces: extend/modify IPv6 primary address behaviour

  • interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)

  • interfaces: introduce a lock and DAD timer into newwanip for IPv6

  • interfaces: rewrite LAGG pages via MVC/API

  • interfaces: allow manual protocol selection for VLANs

  • interfaces: remove null_service toggle as empty service name in PPPoE works fine

  • interfaces: on forceful IPv6 reload do not lose the event handling

  • interfaces: allow primary address function to emit device used

  • firewall: move all automatic rules for interface connectivity to priority 1

  • firewall: rewrote group handling using MVC/API

  • firewall: clean up AliasField to use new getStaticChildren()

  • firewall: “kill states in selection” button was hidden when selecting only a rule for state search

  • firewall: cleanup port forward page and only show the associated filter rule for this entry

  • captive portal: safeguard template overlay distribution

  • dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API

  • dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)

  • dhcp: align router advertisements VIP code and exclude /128

  • dhcp: allow “.” for DNSSL in router advertisements

  • dhcp: print interface identifier and underlying device in “found no suitable address” warnings

  • firmware: opnsense-version: remove obsolete “-f” option stub

  • firmware: properly escape crash reports shown

  • firmware: fix a faulty JSON construction during partial upgrade check

  • firmware: fetch bogons/changelogs from amd64 ABI only

  • ipsec: add missing config section for HA sync

  • ipsec: add RADIUS server selection for “Connections” when RADIUS is not defined in legacy tunnel configuration

  • ipsec: only write /var/db/ipsecpinghosts if not empty

  • ipsec: check IPsec config exists before use (contributed by agh1467)

  • ipsec: fix RSA key pair generation with size other than 2048

  • ipsec: deprecating tunnel configuration in favour of new connections GUI

  • ipsec: clean up SPDField and VTIField types to use new getStaticChildren()

  • ipsec: add passthrough networks when specified to prevent overlapping “connections” missing them

  • monit: fix alert script includes

  • openvpn: rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration option [2]

  • openvpn: rewrote client specific overrides using MVC/API

  • unbound: rewrote general settings and ACL handling using MVC/API

  • unbound: add forward-tcp-upstream in advanced settings

  • unbound: move unbound-blocklists.conf to configuration location

  • unbound: add database import/export functions for when DuckDB version changes on upgrades

  • unbound: add cache-max-negative-ttl setting (contributed by hp197)

  • unbound: fix upgrade migration when database is not enabled

  • unbound: minor endpoint cleanups for DNS reporting page

  • wizard: restrict to validating only IPv4 addresses

  • backend: minor regression in deeper nested command structures in configd

  • mvc: fill missing keys when sorting in searchRecordsetBase()

  • mvc: properly support multi clause search phrases

  • mvc: allow legacy services to hook into ApiMutableServiceController

  • mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng

  • mvc: add generic static record definition for ArrayField

  • ui: introduce collapsible table headers for MVC forms

  • plugins: os-acme-client 3.18 [3]

  • plugins: os-bind 1.27 [4]

  • plugins: os-dnscrypt-proxy 1.14 [5]

  • plugins: os-dyndns removed due to unmaintained code base

  • plugins: os-frr 1.34 [6]

  • plugins: os-firewall 1.3 allows floating rules without interface set (contributed by Michael Muenz)

  • plugins: os-telegraf 1.12.8 [7]

  • plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL

  • plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL

  • src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode

  • src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled

  • src: ipsec: add PMTUD support

  • src: FreeBSD 13.2-RELEASE [8]

  • ports: krb5 1.21.1 [9]

  • ports: nss 3.91 [10]

  • ports: phalcon 5.2.3 [11]

  • ports: php 8.2.8 [12]

  • ports: py-duckdb 0.8.1

  • ports: py-vici 5.9.11

  • ports: sudo 1.9.14p3 [13]

  • ports: suricata now enables Netmap V14 API

Migration notes, known issues and limitations:

  • The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.

  • Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.

  • IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is recommended. An appropriate EoL announcement will be made next year.

  • The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.

  • The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.

The public key for the 23.7 series is:

Please let us know about your experience!

# SHA256 (OPNsense-23.7-dvd-amd64.iso.bz2) = bf67374d04fb00a29d80f9870ac86491b0a87d5dd386c2bd97def0691547e263
# SHA256 (OPNsense-23.7-nano-amd64.img.bz2) = 4adbbd69d0ce1766395555475ea29713f9043735a0c9067206d9945cb626200a
# SHA256 (OPNsense-23.7-serial-amd64.img.bz2) = 03c774f53520414c73cdcaa4fe3b34c4165395963bef74c533c3878a07b80138
# SHA256 (OPNsense-23.7-vga-amd64.img.bz2) = 8a235d2cba717b9b2ea4d5588028c087adc6ff472ae8efd381a26a9640298c67
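
The checksum lines above use the BSD digest format, `SHA256 (file) = hex`, with a leading `# `. The following is an added example, not part of the release notes or the project's tooling, that parses such lines and checks downloaded files against them; the function names and the stand-in file in `demo()` are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Checksum lines as published in the 23.7 announcement above.
RELEASE_MANIFEST = """\
# SHA256 (OPNsense-23.7-dvd-amd64.iso.bz2) = bf67374d04fb00a29d80f9870ac86491b0a87d5dd386c2bd97def0691547e263
# SHA256 (OPNsense-23.7-nano-amd64.img.bz2) = 4adbbd69d0ce1766395555475ea29713f9043735a0c9067206d9945cb626200a
# SHA256 (OPNsense-23.7-serial-amd64.img.bz2) = 03c774f53520414c73cdcaa4fe3b34c4165395963bef74c533c3878a07b80138
# SHA256 (OPNsense-23.7-vga-amd64.img.bz2) = 8a235d2cba717b9b2ea4d5588028c087adc6ff472ae8efd381a26a9640298c67
"""

# Optional "# " prefix, a bare file name (no path separators), a 64-digit hex digest.
LINE_RE = re.compile(
    r"^#?\s*SHA256 \((?P<name>[^()/\\]+)\) = (?P<digest>[0-9a-fA-F]{64})$"
)


def parse_manifest(text):
    """Return {filename: lowercase hex digest}; reject malformed or conflicting lines."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a SHA256 digest line")
        name, digest = match["name"], match["digest"].lower()
        if expected.setdefault(name, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting digest for {name}")
    return expected


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images are never held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_images(manifest_text, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed data: a small stand-in file, checked before and after modification."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "example-image.img.bz2"  # constructed name, not a real image
        image.write_bytes(b"constructed stand-in for a downloaded image\n")
        manifest = f"# SHA256 ({image.name}) = {sha256_file(image)}\n"
        before = verify_images(manifest, tmp)
        image.write_bytes(b"constructed stand-in for a downloaded image, modified\n")
        after = verify_images(manifest, tmp)
        # None of the real images exist in the temporary directory.
        absent = verify_images(RELEASE_MANIFEST, tmp)
    return before, after, absent


if __name__ == "__main__":
    for result in demo():
        print(result)
```
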

23.7.r3 (July 26, 2023)

Quick release candidate update. Last one. Promise.

Still on track for the final release on July 31.

Here are the full patch notes:

  • interfaces: on forceful IPv6 reload do not lose the event handling

  • interfaces: allow primary address function to emit device used

  • dhcp: print interface identifier and underlying device in “found no suitable address” warnings

  • wizard: restrict to validating only IPv4 addresses

Stay safe, Your OPNsense team

23.7.r2 (July 24, 2023)

Quick release candidate update. May or may not be the last one this week depending on the feedback we will receive. So far thanks to all the brave testers!

Still on track for the final release on July 31.

Here are the full patch notes:

  • system: mute openssl errors pushed to stderr

  • system: add opnsense-crypt utility to encrypt/decrypt a config.xml

  • system: call opnsense-crypt from opnsense-import to deal with encrypted imports

  • interfaces: rewrite LAGG pages via MVC/API

  • interfaces: allow manual protocol selection for VLANs

  • interfaces: remove null_service toggle as empty service name in PPPoE works fine

  • monit: fix alert script includes

  • ipsec: add passthrough networks when specified to prevent overlapping “connections” missing them

  • unbound: fix upgrade migration when database is not enabled

  • unbound: minor endpoint cleanups for DNS reporting page

  • firmware: fix a faulty JSON construction during partial upgrade check

  • ports: openssh 9.3p2 [1]

23.7.r1 (July 20, 2023)

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Here are the full patch notes against 23.1.11:

  • system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect

  • system: fix assorted PHP 8.2 deprecation notes

  • system: fix assorted permission-after-write problems

  • system: introduce a gateway watcher service and fix issue with unhandled “loss” trigger when “delay” is also reported

  • system: enabled web GUI compression (contributed by kulikov-a)

  • system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses

  • system: allow “.” DNS search domain override

  • system: on boot let template generation wait for configd socket for up to 10 seconds

  • system: do not allow state modification on GET for power off and reboot actions

  • system: better validation and escaping for cron commands

  • system: better validation for logging user input

  • system: improve configuration import when interfaces or console settings do not match

  • system: name unknown tunables as “environment” as they could still be supported by e.g. the boot loader

  • system: sanitize $act parameter in trust pages

  • system: add severity filter in system log widget (contributed by kulikov-a)

  • interfaces: extend/modify IPv6 primary address behaviour

  • interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)

  • interfaces: introduce a lock and DAD timer into newwanip for IPv6

  • firewall: move all automatic rules for interface connectivity to priority 1

  • firewall: rewrote group handling using MVC/API

  • firewall: clean up AliasField to use new getStaticChildren()

  • firewall: “kill states in selection” button was hidden when selecting only a rule for state search

  • firewall: cleanup port forward page and only show the associated filter rule for this entry

  • captive portal: safeguard template overlay distribution

  • dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API

  • dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)

  • dhcp: align router advertisements VIP code and exclude /128

  • dhcp: allow “.” for DNSSL in router advertisements

  • firmware: opnsense-version: remove obsolete “-f” option stub

  • firmware: properly escape crash reports shown

  • ipsec: add missing config section for HA sync

  • ipsec: add RADIUS server selection for “Connections” when RADIUS is not defined in legacy tunnel configuration

  • ipsec: only write /var/db/ipsecpinghosts if not empty

  • ipsec: check IPsec config exists before use (contributed by agh1467)

  • ipsec: fix RSA key pair generation with size other than 2048

  • ipsec: deprecating tunnel configuration in favour of new connections GUI

  • ipsec: clean up SPDField and VTIField types to use new getStaticChildren()

  • openvpn: rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration option [2]

  • openvpn: rewrote client specific overrides using MVC/API

  • unbound: rewrote general settings and ACL handling using MVC/API

  • unbound: add forward-tcp-upstream in advanced settings

  • unbound: move unbound-blocklists.conf to configuration location

  • unbound: add database import/export functions for when DuckDB version changes on upgrades

  • unbound: add cache-max-negative-ttl setting (contributed by hp197)

  • backend: minor regression in deeper nested command structures in configd

  • mvc: fill missing keys when sorting in searchRecordsetBase()

  • mvc: properly support multi clause search phrases

  • mvc: allow legacy services to hook into ApiMutableServiceController

  • mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng

  • mvc: add generic static record definition for ArrayField

  • ui: introduce collapsible table headers for MVC forms

  • plugins: os-acme-client 3.18 [3]

  • plugins: os-dnscrypt-proxy 1.14 [4]

  • plugins: os-dyndns removed due to unmaintained code base

  • plugins: os-frr 1.34 [5]

  • plugins: os-telegraf 1.12.8 [6]

  • plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL

  • plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL

  • src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode

  • src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled

  • src: ipsec: add PMTUD support

  • src: FreeBSD 13.2-RELEASE [7]

  • ports: krb5 1.21.1 [8]

  • ports: nss 3.91 [9]

  • ports: php 8.2.8 [10]

  • ports: py-duckdb 0.8.1

  • ports: py-vici 5.9.11

  • ports: sudo 1.9.14p2 [11]

  • ports: suricata now enables Netmap V14 API

Migration notes, known issues and limitations:

  • The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.

  • Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.

  • IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is recommended. An appropriate EoL announcement will be made next year.

  • The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.

  • The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.

The public key for the 23.7 series is:

Please let us know about your experience!

# SHA256 (OPNsense-23.7.r1-dvd-amd64.iso.bz2) = ffc2fe24b16bf45b84223ccf78780e94715e695d6ef50bbb041dc1697dcd7862
# SHA256 (OPNsense-23.7.r1-nano-amd64.img.bz2) = d2e3de7d7919b0aaafe80c92ec944b94ebb005220e46ed71d8f816236bf4feab
# SHA256 (OPNsense-23.7.r1-serial-amd64.img.bz2) = 61b594799c1ab9c2daab9adcff93793bf54f875067a7ddec070ade1d67db3689
# SHA256 (OPNsense-23.7.r1-vga-amd64.img.bz2) = 5e90b9fd076a206409474d3667ee11439ecb86f44dbcb1bc339e96b5a83c5a28